Many remote attack vectors
We need a fundamentally different approach




• State of the art:

• Anti-virus scanning, intrusion detection systems, patching infrastructure

• This approach cannot solve the problem.

• Focused on known vulnerabilities; can miss zero-day exploits

• Can introduce new vulnerabilities and privilege escalation opportunities


October 2010 Vulnerability Watchlist

Vulnerability Title | Rx Avail? | Date Added
XXXXXXXXXXXX XXXXXXXXXXXX Local Privilege Escalation Vulnerability | No | 8/25/2010
XXXXXXXXXXXX XXXXXXXXXXXX Denial of Service Vulnerability | Yes | 8/24/2010
XXXXXXXXXXXX XXXXXXXXXXXX Buffer Overflow Vulnerability | No | 8/20/2010
XXXXXXXXXXXX XXXXXXXXXXXX Sanitization Bypass Weakness | No | 8/18/2010
XXXXXXXXXXXX XXXXXXXXXXXX Security Bypass Vulnerability | No | 8/17/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Security Vulnerabilities | Yes | 8/16/2010
XXXXXXXXXXXX XXXXXXXXXXXX Remote Code Execution Vulnerability | No | 8/16/2010
XXXXXXXXXXXX XXXXXXXXXXXX Use-After-Free Memory Corruption Vulnerability | No | 8/12/2010
XXXXXXXXXXXX XXXXXXXXXXXX Remote Code Execution Vulnerability | No | 8/10/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Buffer Overflow Vulnerabilities | No | 8/10/2010
XXXXXXXXXXXX XXXXXXXXXXXX Stack Buffer Overflow Vulnerability | Yes | 8/09/2010
XXXXXXXXXXXX XXXXXXXXXXXX Security-Bypass Vulnerability | No | 8/06/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Security Vulnerabilities | No | 8/05/2010
XXXXXXXXXXXX XXXXXXXXXXXX Buffer Overflow Vulnerability | No | 7/29/2010
XXXXXXXXXXXX XXXXXXXXXXXX Remote Privilege Escalation Vulnerability | No | 7/28/2010
XXXXXXXXXXXX XXXXXXXXXXXX Cross Site Request Forgery Vulnerability | No | 7/26/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Denial Of Service Vulnerabilities | No | 7/22/2010

1/3 of the vulnerabilities are in security software!

Lines of Code
Critical Components within Reach of Formal Methods


♦ Includes non-security relevant code

High-Assurance Component Factory
Key Challenges

• Reusable components

• Composition

• Increasing automation

• Scaling

• Concurrency

• Cyber-physical integration


High Assurance: Correctness, Safety, Security

Feedback welcome!


• Promising research directions?

• Additional challenges?

• Other things you think I should know?


Contact Information: Kathleen.Fisher@darpa.mil